US9405900B2 - Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems - Google Patents

Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems Download PDF

Info

Publication number
US9405900B2
US9405900B2 US13/801,496 US201313801496A US9405900B2 US 9405900 B2 US9405900 B2 US 9405900B2 US 201313801496 A US201313801496 A US 201313801496A US 9405900 B2 US9405900 B2 US 9405900B2
Authority
US
United States
Prior art keywords
control system
network
controller
rule set
intrusion
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US13/801,496
Other versions
US20140283047A1 (en
Inventor
Paritosh Dixit
Daniel Thanos
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
GE Infrastructure Technology LLC
Original Assignee
General Electric Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by General Electric Co filed Critical General Electric Co
Priority to US13/801,496 priority Critical patent/US9405900B2/en
Assigned to GENERAL ELECTRIC COMPANY reassignment GENERAL ELECTRIC COMPANY ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: Dixit, Paritosh, THANOS, DANIEL
Priority to BR102014004682A priority patent/BR102014004682A8/en
Priority to CA2844225A priority patent/CA2844225C/en
Priority to JP2014040025A priority patent/JP6302283B2/en
Priority to IN1209CH2014 priority patent/IN2014CH01209A/en
Priority to EP14158644.6A priority patent/EP2779569A1/en
Priority to CN201410092807.2A priority patent/CN104052730B/en
Priority to MX2014003067A priority patent/MX2014003067A/en
Publication of US20140283047A1 publication Critical patent/US20140283047A1/en
Publication of US9405900B2 publication Critical patent/US9405900B2/en
Application granted granted Critical
Assigned to GE INFRASTRUCTURE TECHNOLOGY LLC reassignment GE INFRASTRUCTURE TECHNOLOGY LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GENERAL ELECTRIC COMPANY
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02BCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO BUILDINGS, e.g. HOUSING, HOUSE APPLIANCES OR RELATED END-USER APPLICATIONS
    • Y02B70/00Technologies for an efficient end-user side electric power management and consumption
    • Y02B70/30Systems integrating technologies related to power network operation and communication or information technologies for improving the carbon footprint of the management of residential or tertiary loads, i.e. smart grids as climate change mitigation technology in the buildings sector, including also the last stages of power distribution and the control, monitoring or operating management systems at local level
    • Y02B70/34Smart metering supporting the carbon neutral operation of end-user applications in buildings
    • Y02B70/346
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S20/00Management or operation of end-user stationary applications or the last stages of power distribution; Controlling, monitoring or operating thereof
    • Y04S20/30Smart metering, e.g. specially adapted for remote reading
    • Y04S20/525
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • This disclosure related to an intrusion prevention system (IPS) that detects security breaches in a control system by monitoring the physical behavior of the control system.
  • IPS intrusion prevention system
  • an IPS may be configured to detect and/or prevent a digital intrusion into the control system, such as the industrial control system, by monitoring network communications in the control system.
  • the network IPS may look for indications of an intrusion and/or anomaly based on network parameters.
  • the network IPS may monitor parameters such as network traffic, file system access/modifications, or operating system/library calls. The monitored parameters may then be compared to rule sets to determine whether intrusions and/or anomalies are present in the control system.
  • intrusions may enable an unauthorized party to access a control system, such as an industrial control system, and cause unexpected behavior within the system. For example, the intrusion may cause the system to perform processes that were not requested.
  • the industrial control system may include devices such as turbines, generators, compressors, or combustors, it would be beneficial to improve the security in industrial control systems beyond network parameters.
  • a first embodiment provides a system including a device monitoring component configured to measure control system behavior and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network.
  • the intrusion prevention system includes a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a first rule set to determine whether an anomaly, an intrusion, or both are present.
  • a second embodiment provides a tangible, non-transitory, computer-readable medium storing a plurality of instructions executable by a processor of an electronic device.
  • the instructions include instructions to receive communication packets, instructions to perform a first test, in which the communication packets are tested against a network rule set, instructions to receive control system measurements, in which the control system measurements are representative of control system behavior, instructions to perform a second test, in which the control system measurements are tested against a control system rule, instructions to correlate results from the first test and the second test, and instructions to determine whether an anomaly, an intrusion, or both are present in the industrial control system based on the correlated results.
  • a third embodiment provides a system including an intrusion prevention system communicatively coupled to a controller and a supervisory station.
  • the intrusion prevention system is configured to receive network communications sent between the supervisory station and the controller, and to determine whether an anomaly, an intrusion, or both are present based at least in part on a state of the controller, a state of the industrial control system, devices connected to the controller, or any combination thereof.
  • FIG. 1 is a block diagram of an intrusion prevention system (IPS) within an industrial control system
  • FIG. 2 is a block diagram of an embodiment of the intrusion prevention system (IPS) from FIG. 1 ;
  • IPS intrusion prevention system
  • FIG. 3 is a flowchart of an embodiment of a process suitable for determining whether an anomaly has occurred within an industrial control system
  • FIG. 4 is a flowchart of an embodiment of a process suitable for creating and/or modifying rule sets in an intrusion prevention system (IPS).
  • IPS intrusion prevention system
  • the present disclosure is generally directed towards an intrusion prevention system (IPS) disposed in a control system, such as an industrial control system, that may be configured to reduce the possibility of an intrusion entering the industrial control system.
  • intrusions refer to digital security breaches that may enter the industrial control system. When intrusions enter the industrial control system, they may cause anomalies within the industrial control system. In other words, intrusions may cause unexpected behavior within the industrial control system. For example, an intrusion may cause the industrial control system to transmit data through network connects that was not requested.
  • systems designed to reduce intrusions may be configured to monitor network connections in the industrial control system, such as network traffic, file system access/modifications, or operating system/library calls. However, additional parameters in the industrial control system may be monitored in order to improve the security of the industrial control system.
  • the present disclosure provides a system including a device monitoring component configured to measure control system behavior and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network.
  • the intrusion prevention system includes a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a rule set to determine whether an anomaly has occurred.
  • the disclosed techniques also monitor physical parameters to better understand the industrial control system and better determine whether an anomaly and/or an intrusion is present in the industrial control system.
  • FIG. 1 illustrates an embodiment of an intrusion prevention system (IPS) 10 within an industrial control system 12 .
  • the industrial control system 12 such as an automated power generation system (e.g., gas, steam, wind, or water turbines, heat recovery steam generators (HRSG), gasification systems, combustion systems, electrical power generators, power grid automation system or similar automated power generation systems) or an automated manufacturing system (e.g., chemical plants, oil refineries, or similar manufacturing system), may include a supervisory station 14 , a cyber security monitoring/response system 15 , a controller 16 , devices, and a communications network 18 .
  • an automated power generation system e.g., gas, steam, wind, or water turbines, heat recovery steam generators (HRSG), gasification systems, combustion systems, electrical power generators, power grid automation system or similar automated power generation systems
  • an automated manufacturing system e.g., chemical plants, oil refineries, or similar manufacturing system
  • the supervisory station 14 and the controller 16 may be configured to send communication packets through the communications network 18 .
  • the communication packets may include control commands and/or data.
  • Various protocols may be used by the communications network 18 , such as Modbus remote terminal unit (RTU), Profibus, Conitel, International Electrotechnical Commission (IEC) 60870-5-101, IEC 60870-5-104, IEC 61850, Distributed Network Protocol (DNP) 3, or the like.
  • Some of the protocols may include Transmission Control Protocol and Internet Protocol (TCP/IP) extensions, which may enable the industrial control system to be accessible over the internet. Accordingly, one point of entry for an intrusion into the industrial control system 12 may be in the communications network 18 .
  • the controller 16 may be configured to control various devices, such as turbines 20 , sensors 22 , actuator 24 , and pumps 26 .
  • the controller 16 may be an intelligent electronic device configured to provide protection, control, and metering functions for power equipment, such as transformers, breakers, switches, motors, or generators.
  • the controller 16 may include a processing unit 28 , memory 30 , a storage device 32 , and a communications apparatus 34 configured to communicate with the devices.
  • a processing unit 28 a processor 30 , a memory 30 , a storage device 32 , and a communications apparatus 34 configured to communicate with the devices.
  • another entry point for an intrusion may be directly into the devices.
  • Other entry points for an intrusion may be directly into the controller 16 or the supervisory station 14 .
  • the depicted industrial control system 12 also includes the IPS 10 .
  • the IPS 10 may be a implemented in a computing device (e.g., computer, server, laptop, tablet, cell phone, mobile device, or similar processing or computing device) or in executable non-transitory computer instructions or code stored in a machine readable medium, such as the memory 30 of the controller 16 , the supervisory station 14 , the storage device 32 of the controller 16 , or a combination thereof.
  • the IPS 10 may be configured to monitor control system (i.e., physical) parameters to determine whether an anomaly and/or an intrusion are present.
  • the IPS 10 may be configured to monitor control system parameters, such as communication with devices, heat generation, or power usage, because they may be an accurate representation of the processes occurring within the industrial control system 12 .
  • control system parameters are generally based on the laws of physics which may be more difficult to circumvent.
  • the IPS includes a network analysis component 36 and a control system analysis component 38 .
  • the network analysis component 36 may be configured to analyze network parameters of communication packets sent over the communications network 30 , such as such as network traffic, file system access/modifications, or operating system/library calls, to determine whether an anomaly and/or an intrusion is present. Accordingly, the network analysis component 38 may be coupled to the communications network 18 and configured to receive the communication packets sent through the communications network 18 .
  • the control system analysis component 38 may be configured to analyze control system parameters, such as communication with devices, heat generation, or power usage, to determine whether an anomaly and/or intrusion has occurred.
  • the IPS 10 may further include a device monitoring component 40 configured to monitor measure control system (i.e., physical) parameters of the controller 16 and the devices (e.g., turbine 20 , sensor 22 , actuator 24 , pump 26 , or electrical assists 27 ) controlled by the controller 16 .
  • the device monitoring component 40 may be communicatively coupled to the controller 16 .
  • the device monitoring component 40 is located within the controller 16 and directly coupled to the processing unit 28 , the memory 30 , the storage device 32 , and the communications apparatus 34 .
  • the device monitoring component 40 may be implemented in a separate computing device or in executable non-transitory computer instructions stored in a machine readable medium, such as the memory 30 of the controller 16 , the supervisory station 14 , the storage device 32 of the controller 16 , or a combination thereof.
  • the device monitoring component 40 may be configured to measure control system (i.e., physical) parameters.
  • the measured control system (i.e., physical) parameters are the physical results of the operation of the industrial control system 10 . Accordingly, they may provide an indication of the processes taking place in the industrial control system 10 .
  • the device monitoring component 40 may measure the power usage or temperature of the processing unit 28 , monitor communication activity between the communications apparatus 34 and devices (e.g., turbine 20 , sensor 22 , actuator 24 , pump 26 , or electrical assists 27 ), or measure the timing of processes performed by the controller 16 .
  • the measured control system parameters may then be transmitted to the control system analysis component 10 and analyzed against the control system rule set to determine whether an anomaly and/or intrusion is present.
  • intrusions into the industrial control system 12 may cause unexpected behavior or anomalies in the industrial control system 12 .
  • the IPS 10 may communicate the anomaly to the supervising station 14 and/or the cyber security monitoring/response system 15 through an alarm.
  • the supervising station 14 and the cyber security monitoring/response system 15 may be configured to act as central systems to correlate the anomalies reported.
  • both may include human-machine interfaces (HMI) which enable an operator to further examine the anomalies.
  • HMI human-machine interfaces
  • an operator on the cyber security monitoring/response system 15 may determine that an anomaly is in fact a false positive and change the network rule set accordingly.
  • the operator may determine a response to the anomaly detected. In other words, the operator may be able to instruct the industrial control system 12 to take actions to ameliorate the anomalies.
  • the response may be automatically determined and communicated to the industrial control system 12 .
  • FIG. 2 illustrates one embodiment of the intrusion prevention system (IPS) 10 shown in FIG. 1 .
  • the network analysis component 36 includes a network monitoring component 42 and a network rule set processing component 44 , which includes a network rule set 46 .
  • the control system analysis component 38 includes a control system monitoring component 48 and a control system rule set processing component 50 , which includes a control system rule set 52 .
  • the IPS 10 is configured to receive communication packets from the communication network 18 and control system measurements from the device monitoring component 40 .
  • the communication packets may first enter the IPS 10 through the network monitoring component 42 .
  • the network monitoring component 42 may be configured to act as a gateway to the IPS 10 .
  • the communication packets are then passed to a network rule set processing component 44 .
  • the network rule set processing component 44 may be configured to analyze the communication packets against the network rule set 46 to determine whether a network anomaly and/or intrusion is present.
  • the control system measurements first enter the IPS 10 through the control system monitoring component 48 and are then passed to the control system rule set processing component 50 .
  • the control system rule set processing component 50 may be configured to analyze the control system measurements against the control system rule set 52 to determine whether a control system anomaly and/or intrusion is present.
  • FIG. 3 illustrates one embodiment of a process 54 used by the IPS 10 to determine whether an anomaly and/or an intrusion is present.
  • the process 54 may begin with the network monitoring component 42 receiving communication packets from the communication network 18 (block 56 ).
  • the communication packets may include control commands and/or data between the supervisory station 14 and the controller 16 .
  • the control commands may include file system access/modification, application/process calls, operating system calls, library calls, or any combination thereof.
  • the data may include measurements taken by devices, such as sensors 22 , coupled to the controller 16 .
  • the network rule set processing component 44 may test the received packets against the network rule set 46 (block 58 ) to determine whether the network rule set processing component 44 believes a network anomaly and/or intrusion is present.
  • the network rule set 46 may be configured to include a white list and a black list.
  • the white list may be a list of communication packets that the IPS 10 believes are not related to an intrusion and the black list may be a list of communication packets that the IPS 10 believes are related to an intrusion. In the instances where the communication packet does not fall within either the white list or the black list, it may be classified as a network anomaly because the IPS 10 may be unsure whether an intrusion is present.
  • the network rule set processing component 44 may be configured to look at the network communications contextually.
  • the network rule set processing component 44 may be configured to look at least in part at a state of the controller, a state of the industrial control system, devices connected to the controller, or any combination thereof.
  • a device e.g., turbines 20 , sensors 22 , actuator 24 , pumps 26 , or electrical assists 27
  • the network rule set processing component 44 determines that the communication packet is attempting to change a configuration, such as the electrical protection setting, the communication packet may be identified as a network anomaly.
  • the network rule set processing component 44 may identify a communication packet as a network anomaly if the communication packet is intended for a device, such as the turbine 20 , but the turbine 20 is not in the industrial control system 12 .
  • the process 54 may continue with the control system monitoring component 48 receiving the control system measurements from the device monitoring component 40 (block 60 ).
  • the device monitoring component 40 may be configured to make control system (i.e., physical) measurements on the industrial control system 12 , such as power usage of components in the controller, temperature of the components in the controller, timing of operations, input/output of the controller, telemetry data of devices coupled to the controller, or any combination thereof.
  • the device monitoring component 40 may measure the power usage or temperature of the processing unit 28 , monitor communication activity between the communications apparatus 34 and devices (e.g., turbine 20 , sensor 22 , actuator 24 , pump 26 , or electrical assists 27 ), or measure the timing of processes performed by the controller 16 .
  • the device monitoring component 40 may measure telemetry data of the devices, such as the speed the turbine 20 is rotating. It should be appreciated that the measured parameters represent the processes occurring within the industrial control system 12 .
  • control system rule set processing component 50 may test the received measurements against the control system rule set 52 (block 62 ) to determine whether the control system rule set processing component 50 believes a control system anomaly and/or an intrusion is present.
  • the control system rule set 52 may be configured to include a white list and a black list.
  • the white list may include appropriate measurement ranges for the measured parameter when control system anomalies are not present.
  • the black list may include threshold values that once met may signify an intrusion. It should be appreciated that when the measurement value does not fall within the white list range or above the black list threshold it may be classified as a control system anomaly.
  • the results from block 58 and block 62 may then be correlated (block 64 ) in a machine learning and correlated analysis component 68 in the IPS 10 to determine whether an intrusion and/or an anomaly are present (block 66 ).
  • the rule sets e.g., 46 and 52
  • the machine learning and correlated analysis component 68 may correlate the network anomalies, the control system anomalies, and intrusions to determine whether it believes an anomaly or intrusion is present.
  • a more accurate detection of intrusions and/or anomalies of the industrial control system 12 is achieved because using two rule sets (e.g., 46 and 52 ) may lower the possibility of false positives and missed anomalies and/or intrusions. Accordingly, instead of a strict following of the rule sets (e.g., 46 and 52 ) more leeway may be taken when detecting an anomaly and/or an intrusion.
  • the IPS 10 when an anomaly is detected, in addition to the response by the supervising station 14 and/or the cyber security monitoring/response system 15 , the IPS 10 itself may take further action.
  • the next action taken by the network rule set processing component 44 and the control system rule set processing component 50 may depend on what mode the IPS 10 is in. Specifically, when the IPS 10 is in a passive mode, the IPS 10 is configured to interfere as minimally in the operation of the industrial control system 12 as possible. Accordingly, the network rule set processing component 44 may be configured to send an alarm through the network monitoring component 42 to the cyber security monitoring/response system 15 .
  • control system rule set processing component 50 may be configured to send an alarm through the control system monitoring component 48 to the supervisory system 14 .
  • the IPS 10 is in an active mode, the IPS 10 is configured to actively protect the industrial control system 12 .
  • the network rule set processing component 44 may be configured to filter communication packets that are anomalies and the control system rule set processing component 50 may be configured to send a control system. For example, if the control system rule set processing component 50 determines that a detected anomaly will cause a device to act unexpectedly, the control system rule set processing component 50 may send a control signal to cease operation of the device.
  • the IPS 10 further may include the machine learning and correlated analysis component 68 .
  • the machine learning and correlation analysis component 54 may be configured to facilitate creating and modifying the rules sets (e.g., 46 and 52 ).
  • the cyber security monitoring/response system 15 and the supervisory station 14 may be configured to communicate false positives and false negatives to the IPS 10 .
  • the machine learning and correlated analysis component 68 may be configured to modify the rule sets (e.g., 46 and 52 ) accordingly.
  • the cyber security monitoring/response system 15 communicates the network false positives and false negatives to the network rule set processing component 44 and the supervisory station 14 communicates the control system false positives and false negatives to the control system rule set processing component 50 .
  • the false negatives and false positives are then communicated to the machine learning and correlated analysis component 68 .
  • FIG. 4 illustrates one embodiment of a process 70 configured to create and/or maintain the rule sets (e.g., 46 and 52 ).
  • the rule sets e.g., 46 and 52
  • the process 70 may begin by running a model (block 72 ).
  • the model may be a known set of operations with no intrusions present.
  • the IPS 10 reads the network parameters (block 74 ).
  • the network parameters may include the communication packets communicated between the controller 16 and the supervisory station 14 .
  • the IPS 10 reads the control system parameters (block 76 ).
  • control system parameters may include measurements from the device monitoring component 40 , such as power usage, temperature, timing, or device (e.g., 20 , 22 , 24 , 26 , or 27 ) telemetry.
  • the read network parameters and control systems parameters may then be used to create the rule sets (e.g., 46 and 52 ) (block 78 ) because they represent the expected parameters with no intrusions and/or anomalies present.
  • the IPS 10 may monitor the operation of the industrial control system 12 and determine whether anomalies and/or intrusions are present based on the rule sets (e.g., 46 and 52 ).
  • the rule sets may not be perfect. Accordingly, the rule sets (e.g., 46 and 52 ) may then be maintained/modified to better detect anomalies and/or intrusions.
  • the rule sets may be modified when the IPS 10 is in a maintenance mode (decision block 82 ).
  • the process 70 may check for false positive and/or false negatives from the cyber security monitoring response system 15 and the supervisory station 14 . Then, the IPS again reads the network parameters (block 74 ) and the control system parameters (block 76 ).
  • the rule sets may be modified based on the false positives, false negatives, read network parameters, and control system parameters. Because the industrial control system 12 may contain some intrusions and/or anomalies the IPS 10 may use algorithm, such as Bayesian classifiers, support vector machines, artificial neural networks, or evolutionary/genetic algorithms.
  • algorithm such as Bayesian classifiers, support vector machines, artificial neural networks, or evolutionary/genetic algorithms.
  • the disclosed techniques describe an intrusion prevention system (IPS) 10 configured to better understand the processes occurring in the industrial control system 12 .
  • the IPS 10 is configured to monitor both network parameters and control system parameters, such as power usage, temperature, timing, or telemetry data.
  • the IPS 10 may be configured to monitor the network parameters in the larger context of the industrial control system 12 .
  • the IPS 10 may be configured to create/modify the rule sets (e.g., 46 and 52 ) based on both the network parameters and the control system parameters.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

The embodiments described herein include a system and a method. In one embodiment, a system includes a device monitoring component configured to measure control system behavior and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network. The intrusion prevention system includes a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a first rule set to determine whether an anomaly, an intrusion, or both are present.

Description

BACKGROUND
This disclosure related to an intrusion prevention system (IPS) that detects security breaches in a control system by monitoring the physical behavior of the control system.
Generally, an IPS may be configured to detect and/or prevent a digital intrusion into the control system, such as the industrial control system, by monitoring network communications in the control system. Specifically, the network IPS may look for indications of an intrusion and/or anomaly based on network parameters. For example, the network IPS may monitor parameters such as network traffic, file system access/modifications, or operating system/library calls. The monitored parameters may then be compared to rule sets to determine whether intrusions and/or anomalies are present in the control system.
Security breaches, referred to as intrusions, may enable an unauthorized party to access a control system, such as an industrial control system, and cause unexpected behavior within the system. For example, the intrusion may cause the system to perform processes that were not requested. Because the industrial control system may include devices such as turbines, generators, compressors, or combustors, it would be beneficial to improve the security in industrial control systems beyond network parameters.
BRIEF DESCRIPTION OF THE INVENTION
Certain embodiments commensurate in scope with the originally claimed invention are summarized below. These embodiments are not intended to limit the scope of the claimed invention, but rather these embodiments are intended only to provide a brief summary of possible forms of the invention. Indeed, the invention may encompass a variety of forms that may be similar to or different from the embodiments set forth below.
A first embodiment provides a system including a device monitoring component configured to measure control system behavior and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network. The intrusion prevention system includes a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a first rule set to determine whether an anomaly, an intrusion, or both are present.
A second embodiment provides a tangible, non-transitory, computer-readable medium storing a plurality of instructions executable by a processor of an electronic device. The instructions include instructions to receive communication packets, instructions to perform a first test, in which the communication packets are tested against a network rule set, instructions to receive control system measurements, in which the control system measurements are representative of control system behavior, instructions to perform a second test, in which the control system measurements are tested against a control system rule, instructions to correlate results from the first test and the second test, and instructions to determine whether an anomaly, an intrusion, or both are present in the industrial control system based on the correlated results.
A third embodiment provides a system including an intrusion prevention system communicatively coupled to a controller and a supervisory station. The intrusion prevention system is configured to receive network communications sent between the supervisory station and the controller, and to determine whether an anomaly, an intrusion, or both are present based at least in part on a state of the controller, a state of the industrial control system, devices connected to the controller, or any combination thereof.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other features, aspects, and advantages of the present invention will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:
FIG. 1 is a block diagram of an intrusion prevention system (IPS) within an industrial control system;
FIG. 2 is a block diagram of an embodiment of the intrusion prevention system (IPS) from FIG. 1;
FIG. 3 is a flowchart of an embodiment of a process suitable for determining whether an anomaly has occurred within an industrial control system; and
FIG. 4 is a flowchart of an embodiment of a process suitable for creating and/or modifying rule sets in an intrusion prevention system (IPS).
 DETAILED DESCRIPTION OF THE INVENTION
One or more specific embodiments of the present invention will be described below. In an effort to provide a concise description of these embodiments, all features of an actual implementation may not be described in the specification. It should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another. Moreover, it should be appreciated that such a development effort might be complex and time consuming, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure.
When introducing elements of various embodiments of the present invention, the articles “a,” “an,” “the,” and “said” are intended to mean that there are one or more of the elements. The terms “comprising,” “including,” and “having” are intended to be inclusive and mean that there may be additional elements other than the listed elements.
The present disclosure is generally directed towards an intrusion prevention system (IPS) disposed in a control system, such as an industrial control system, that may be configured to reduce the possibility of an intrusion entering the industrial control system. As used herein, intrusions refer to digital security breaches that may enter the industrial control system. When intrusions enter the industrial control system, they may cause anomalies within the industrial control system. In other words, intrusions may cause unexpected behavior within the industrial control system. For example, an intrusion may cause the industrial control system to transmit data through network connects that was not requested. Thus, systems designed to reduce intrusions may be configured to monitor network connections in the industrial control system, such as network traffic, file system access/modifications, or operating system/library calls. However, additional parameters in the industrial control system may be monitored in order to improve the security of the industrial control system.
Accordingly, the present disclosure provides a system including a device monitoring component configured to measure control system behavior and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network. The intrusion prevention system includes a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a rule set to determine whether an anomaly has occurred. In other words, in addition to monitoring network parameters, the disclosed techniques also monitor physical parameters to better understand the industrial control system and better determine whether an anomaly and/or an intrusion is present in the industrial control system.
By way of introduction, FIG. 1 illustrates an embodiment of an intrusion prevention system (IPS) 10 within an industrial control system 12. The industrial control system 12, such as an automated power generation system (e.g., gas, steam, wind, or water turbines, heat recovery steam generators (HRSG), gasification systems, combustion systems, electrical power generators, power grid automation system or similar automated power generation systems) or an automated manufacturing system (e.g., chemical plants, oil refineries, or similar manufacturing system), may include a supervisory station 14, a cyber security monitoring/response system 15, a controller 16, devices, and a communications network 18.
The supervisory station 14 and the controller 16 may be configured to send communication packets through the communications network 18. Specifically, the communication packets may include control commands and/or data. Various protocols may be used by the communications network 18, such as Modbus remote terminal unit (RTU), Profibus, Conitel, International Electrotechnical Commission (IEC) 60870-5-101, IEC 60870-5-104, IEC 61850, Distributed Network Protocol (DNP) 3, or the like. Some of the protocols may include Transmission Control Protocol and Internet Protocol (TCP/IP) extensions, which may enable the industrial control system to be accessible over the internet. Accordingly, one point of entry for an intrusion into the industrial control system 12 may be in the communications network 18.
In addition, the controller 16 may be configured to control various devices, such as turbines 20, sensors 22, actuator 24, and pumps 26. Furthermore, in a substation configuration, the controller 16 may be an intelligent electronic device configured to provide protection, control, and metering functions for power equipment, such as transformers, breakers, switches, motors, or generators. Accordingly, the controller 16 may include a processing unit 28, memory 30, a storage device 32, and a communications apparatus 34 configured to communicate with the devices. Thus, another entry point for an intrusion may be directly into the devices. Other entry points for an intrusion may be directly into the controller 16 or the supervisory station 14.
The depicted industrial control system 12 also includes the IPS 10. The IPS 10 may be a implemented in a computing device (e.g., computer, server, laptop, tablet, cell phone, mobile device, or similar processing or computing device) or in executable non-transitory computer instructions or code stored in a machine readable medium, such as the memory 30 of the controller 16, the supervisory station 14, the storage device 32 of the controller 16, or a combination thereof. In addition to monitoring network parameters, the IPS 10 may be configured to monitor control system (i.e., physical) parameters to determine whether an anomaly and/or an intrusion are present. The IPS 10 may be configured to monitor control system parameters, such as communication with devices, heat generation, or power usage, because they may be an accurate representation of the processes occurring within the industrial control system 12. In other words, the control system parameters are generally based on the laws of physics which may be more difficult to circumvent. For example, because the temperature of a processor may be related to the processes the processor is performing, monitoring the temperature enables the IPS 10 to know if the processor is performing additional processes, such as those caused by an intrusion. Accordingly, the IPS includes a network analysis component 36 and a control system analysis component 38.
The network analysis component 36 may be configured to analyze network parameters of communication packets sent over the communications network 30, such as such as network traffic, file system access/modifications, or operating system/library calls, to determine whether an anomaly and/or an intrusion is present. Accordingly, the network analysis component 38 may be coupled to the communications network 18 and configured to receive the communication packets sent through the communications network 18.
Similarly, the control system analysis component 38 may be configured to analyze control system parameters, such as communication with devices, heat generation, or power usage, to determine whether an anomaly and/or intrusion has occurred. Thus, the IPS 10 may further include a device monitoring component 40 configured to monitor measure control system (i.e., physical) parameters of the controller 16 and the devices (e.g., turbine 20, sensor 22, actuator 24, pump 26, or electrical assists 27) controlled by the controller 16. Accordingly, the device monitoring component 40 may be communicatively coupled to the controller 16. In the depicted embodiment, the device monitoring component 40 is located within the controller 16 and directly coupled to the processing unit 28, the memory 30, the storage device 32, and the communications apparatus 34. Alternatively, the device monitoring component 40 may be implemented in a separate computing device or in executable non-transitory computer instructions stored in a machine readable medium, such as the memory 30 of the controller 16, the supervisory station 14, the storage device 32 of the controller 16, or a combination thereof.
As described above, the device monitoring component 40 may be configured to measure control system (i.e., physical) parameters. The measured control system (i.e., physical) parameters are the physical results of the operation of the industrial control system 10. Accordingly, they may provide an indication of the processes taking place in the industrial control system 10. For example, the device monitoring component 40 may measure the power usage or temperature of the processing unit 28, monitor communication activity between the communications apparatus 34 and devices (e.g., turbine 20, sensor 22, actuator 24, pump 26, or electrical assists 27), or measure the timing of processes performed by the controller 16. The measured control system parameters may then be transmitted to the control system analysis component 10 and analyzed against the control system rule set to determine whether an anomaly and/or intrusion is present.
As described above, intrusions into the industrial control system 12 may cause unexpected behavior or anomalies in the industrial control system 12. When an anomaly is detected, the IPS 10 may communicate the anomaly to the supervising station 14 and/or the cyber security monitoring/response system 15 through an alarm. The supervising station 14 and the cyber security monitoring/response system 15 may be configured to act as central systems to correlate the anomalies reported. In addition, both may include human-machine interfaces (HMI) which enable an operator to further examine the anomalies. For example, an operator on the cyber security monitoring/response system 15 may determine that an anomaly is in fact a false positive and change the network rule set accordingly. In addition, the operator may determine a response to the anomaly detected. In other words, the operator may be able to instruct the industrial control system 12 to take actions to ameliorate the anomalies. In some embodiments, the response may be automatically determined and communicated to the industrial control system 12.
FIG. 2 illustrates one embodiment of the intrusion prevention system (IPS) 10 shown in FIG. 1. In the depicted embodiment, the network analysis component 36 includes a network monitoring component 42 and a network rule set processing component 44, which includes a network rule set 46. Similarly, the control system analysis component 38 includes a control system monitoring component 48 and a control system rule set processing component 50, which includes a control system rule set 52.
As described above, the IPS 10 is configured to receive communication packets from the communication network 18 and control system measurements from the device monitoring component 40. The communication packets may first enter the IPS 10 through the network monitoring component 42. The network monitoring component 42 may be configured to act as a gateway to the IPS 10. The communication packets are then passed to a network rule set processing component 44. The network rule set processing component 44 may be configured to analyze the communication packets against the network rule set 46 to determine whether a network anomaly and/or intrusion is present. Similarly, the control system measurements first enter the IPS 10 through the control system monitoring component 48 and are then passed to the control system rule set processing component 50. The control system rule set processing component 50 may be configured to analyze the control system measurements against the control system rule set 52 to determine whether a control system anomaly and/or intrusion is present.
FIG. 3 illustrates one embodiment of a process 54 used by the IPS 10 to determine whether an anomaly and/or an intrusion is present. The process 54 may begin with the network monitoring component 42 receiving communication packets from the communication network 18 (block 56). As described above, the communication packets may include control commands and/or data between the supervisory station 14 and the controller 16. The control commands may include file system access/modification, application/process calls, operating system calls, library calls, or any combination thereof. The data may include measurements taken by devices, such as sensors 22, coupled to the controller 16.
Next, the network rule set processing component 44 may test the received packets against the network rule set 46 (block 58) to determine whether the network rule set processing component 44 believes a network anomaly and/or intrusion is present. The network rule set 46 may be configured to include a white list and a black list. The white list may be a list of communication packets that the IPS 10 believes are not related to an intrusion and the black list may be a list of communication packets that the IPS 10 believes are related to an intrusion. In the instances where the communication packet does not fall within either the white list or the black list, it may be classified as a network anomaly because the IPS 10 may be unsure whether an intrusion is present.
In addition, to better characterize the communication packets, the network rule set processing component 44 may be configured to look at the network communications contextually. In other words, the network rule set processing component 44 may be configured to look at least in part at a state of the controller, a state of the industrial control system, devices connected to the controller, or any combination thereof. For example, when a device (e.g., turbines 20, sensors 22, actuator 24, pumps 26, or electrical assists 27) is in a commissioned state, the device is operational and little changes to the configurations should be made. Accordingly, when the network rule set processing component 44 determines that the communication packet is attempting to change a configuration, such as the electrical protection setting, the communication packet may be identified as a network anomaly. Comparatively, when the device is in a configuration state, more changes to the configurations should be permitted to enable the device to be configured. Other states may include a maintenance state, an emergency state, or a security response state. Similarly, the network rule set processing component 44 may identify a communication packet as a network anomaly if the communication packet is intended for a device, such as the turbine 20, but the turbine 20 is not in the industrial control system 12.
The process 54 may continue with the control system monitoring component 48 receiving the control system measurements from the device monitoring component 40 (block 60). As described above, the device monitoring component 40 may be configured to make control system (i.e., physical) measurements on the industrial control system 12, such as power usage of components in the controller, temperature of the components in the controller, timing of operations, input/output of the controller, telemetry data of devices coupled to the controller, or any combination thereof. For example, the device monitoring component 40 may measure the power usage or temperature of the processing unit 28, monitor communication activity between the communications apparatus 34 and devices (e.g., turbine 20, sensor 22, actuator 24, pump 26, or electrical assists 27), or measure the timing of processes performed by the controller 16. In addition, the device monitoring component 40 may measure telemetry data of the devices, such as the speed the turbine 20 is rotating. It should be appreciated that the measured parameters represent the processes occurring within the industrial control system 12.
Next, the control system rule set processing component 50 may test the received measurements against the control system rule set 52 (block 62) to determine whether the control system rule set processing component 50 believes a control system anomaly and/or an intrusion is present. Again, the control system rule set 52 may be configured to include a white list and a black list. The white list may include appropriate measurement ranges for the measured parameter when control system anomalies are not present. The black list may include threshold values that once met may signify an intrusion. It should be appreciated that when the measurement value does not fall within the white list range or above the black list threshold it may be classified as a control system anomaly.
The results from block 58 and block 62 may then be correlated (block 64) in a machine learning and correlated analysis component 68 in the IPS 10 to determine whether an intrusion and/or an anomaly are present (block 66). As should be appreciated, the rule sets (e.g., 46 and 52) are not perfect and may return false positives or miss anomalies altogether (i.e., false negative). Accordingly, to achieve a more accurate representation of the industrial control system 12, the machine learning and correlated analysis component 68 may correlate the network anomalies, the control system anomalies, and intrusions to determine whether it believes an anomaly or intrusion is present. A more accurate detection of intrusions and/or anomalies of the industrial control system 12 is achieved because using two rule sets (e.g., 46 and 52) may lower the possibility of false positives and missed anomalies and/or intrusions. Accordingly, instead of a strict following of the rule sets (e.g., 46 and 52) more leeway may be taken when detecting an anomaly and/or an intrusion.
Returning to FIG. 2, when an anomaly is detected, in addition to the response by the supervising station 14 and/or the cyber security monitoring/response system 15, the IPS 10 itself may take further action. The next action taken by the network rule set processing component 44 and the control system rule set processing component 50 may depend on what mode the IPS 10 is in. Specifically, when the IPS 10 is in a passive mode, the IPS 10 is configured to interfere as minimally in the operation of the industrial control system 12 as possible. Accordingly, the network rule set processing component 44 may be configured to send an alarm through the network monitoring component 42 to the cyber security monitoring/response system 15. Similarly, the control system rule set processing component 50 may be configured to send an alarm through the control system monitoring component 48 to the supervisory system 14. When the IPS 10 is in an active mode, the IPS 10 is configured to actively protect the industrial control system 12. Accordingly, the network rule set processing component 44 may be configured to filter communication packets that are anomalies and the control system rule set processing component 50 may be configured to send a control system. For example, if the control system rule set processing component 50 determines that a detected anomaly will cause a device to act unexpectedly, the control system rule set processing component 50 may send a control signal to cease operation of the device.
As described above, the IPS 10 further may include the machine learning and correlated analysis component 68. The machine learning and correlation analysis component 54 may be configured to facilitate creating and modifying the rules sets (e.g., 46 and 52). In the depicted embodiment, the cyber security monitoring/response system 15 and the supervisory station 14 may be configured to communicate false positives and false negatives to the IPS 10. The machine learning and correlated analysis component 68 may be configured to modify the rule sets (e.g., 46 and 52) accordingly. Specifically, in the depicted embodiment, the cyber security monitoring/response system 15 communicates the network false positives and false negatives to the network rule set processing component 44 and the supervisory station 14 communicates the control system false positives and false negatives to the control system rule set processing component 50. The false negatives and false positives are then communicated to the machine learning and correlated analysis component 68.
FIG. 4 illustrates one embodiment of a process 70 configured to create and/or maintain the rule sets (e.g., 46 and 52). When the IPS 10 is in a configuration/training mode, the rule sets (e.g., 46 and 52) may be created based on a model. Accordingly, when the IPS 10 is in a configuration/training mode, the process 70 may begin by running a model (block 72). The model may be a known set of operations with no intrusions present. Next, the IPS 10 reads the network parameters (block 74). As described above, the network parameters may include the communication packets communicated between the controller 16 and the supervisory station 14. Similarly, the IPS 10 reads the control system parameters (block 76). As described above, the control system parameters may include measurements from the device monitoring component 40, such as power usage, temperature, timing, or device (e.g., 20, 22, 24, 26, or 27) telemetry. The read network parameters and control systems parameters may then be used to create the rule sets (e.g., 46 and 52) (block 78) because they represent the expected parameters with no intrusions and/or anomalies present. Once the rule sets (e.g., 46 and 52) are created, the IPS 10 may monitor the operation of the industrial control system 12 and determine whether anomalies and/or intrusions are present based on the rule sets (e.g., 46 and 52).
As described above, the rule sets (e.g., 46 and 52) may not be perfect. Accordingly, the rule sets (e.g., 46 and 52) may then be maintained/modified to better detect anomalies and/or intrusions. The rule sets (e.g., 46 and 52) may be modified when the IPS 10 is in a maintenance mode (decision block 82). When the IPS 10 is in a maintenance mode, the process 70 may check for false positive and/or false negatives from the cyber security monitoring response system 15 and the supervisory station 14. Then, the IPS again reads the network parameters (block 74) and the control system parameters (block 76). Accordingly, the rule sets (e.g., 46 and 52) may be modified based on the false positives, false negatives, read network parameters, and control system parameters. Because the industrial control system 12 may contain some intrusions and/or anomalies the IPS 10 may use algorithm, such as Bayesian classifiers, support vector machines, artificial neural networks, or evolutionary/genetic algorithms.
Technical effects of the disclosed embodiments include improving the security in industrial control system 12. Specifically, the disclosed techniques describe an intrusion prevention system (IPS) 10 configured to better understand the processes occurring in the industrial control system 12. For example, the IPS 10 is configured to monitor both network parameters and control system parameters, such as power usage, temperature, timing, or telemetry data. In addition, the IPS 10 may be configured to monitor the network parameters in the larger context of the industrial control system 12. Finally, the IPS 10 may be configured to create/modify the rule sets (e.g., 46 and 52) based on both the network parameters and the control system parameters.
This written description uses examples to disclose the invention, including the best mode, and also to enable any person skilled in the art to practice the invention, including making and using any devices or systems and performing any incorporated methods. The patentable scope of the invention is defined by the claims, and may include other examples that occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal language of the claims.

Claims (20)

The invention claimed is:
1. A system comprising:
a device monitoring component configured to measure control system behavior; and
an intrusion prevention system communicatively coupled to the device monitoring component and a communications network, wherein the intrusion prevention system includes:
a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a first rule set;
a network analysis component configured to analyze network parameters of communication packets transmitted over the communications network against a second rule set by performing a comparison between the network parameters and data included in a first list and in a second list and classifying the communication packets as at least one of an anomaly and an intrusion based on a result of the comparison; and
a machine learning and correlated analysis component configured to:
correlate results from the control system analysis component and the network analysis component;
determine when the correlated results lead to a false positive or a false negative; and
modify the first rule set and the second rule set when a false positive or a false negative is detected.
2. The system of claim 1, wherein the first rule set and the second rule set are modified when the intrusion prevention system is in a maintenance mode.
3. The system of claim 1, wherein the control system behavior comprises behavior of a controller when the device monitoring component is communicatively coupled to the controller.
4. The system of claim 3, wherein the controller behavior includes power usage of components in the controller, temperature of the components in the controller, timing of operations, input/output of the controller, telemetry data of devices coupled to the controller, or any combination thereof.
5. The system of claim 4, wherein the component in the controller includes a processing unit, memory, a storage device, and a communication apparatus.
6. The system of claim 3, wherein the device monitoring component is located in the controller.
7. The system of claim 3, wherein the device monitoring component comprises a separate device from the controller.
8. The system of claim 1, wherein the network parameters include network traffic, file system access/modifications, operating system/library calls, or any combination thereof.
9. The system of claim 1, wherein the system is an industrial control system comprising a gas turbine system, a gasification system, a steam turbine system, a wind turbine system, a water turbine system, a power generation system, a power grid automation system, or any combination thereof.
10. A tangible, non-transitory, computer-readable medium storing instructions, that when executed by a processor, cause the processor to perform operations comprising:
executing a model that simulates operation of an industrial control system, wherein the model does not contain intrusions;
determining network parameters of communication packets transmitted when executing the model;
generating a network rule set based at least in part on the network parameters;
determining control system parameters measured when running the model;
generating a control system rule set based at least in part on the control system parameters, wherein the control system rule set and the network rule set are configured to be used to detect whether an intrusion is present during operation of the industrial control system;
performing a comparison between the network parameters and data included in a first list and in a second list; and
classifying the communication packets as an intrusion based on a result of the comparison.
11. The medium of claim 10, wherein the operations further comprise testing control system measurements against the control system rule set.
12. The medium of claim 10, wherein the communications packets include communication packets sent between a controller and a supervisory station.
13. The medium of claim 10, wherein the industrial control system comprises a gas turbine system, a gasification system, a steam turbine system, a wind turbine system, a water turbine system, a power generation system, a power grid automation system, or any combination thereof.
14. The medium of claim 10, wherein the operations further comprise:
operating the industrial control system;
receiving the communication packets from a communication network in the industrial control system;
receiving control system measurements from one or more sensors in the industrial control system; and
analyzing the control system measurements against the control system rule set.
15. The medium of claim 10, wherein the operation further comprise:
operating the industrial control system;
determining when a false negative or a false positive is detected using the network rule set and the control system rule set; and
modifying the network rule set and the control system rule set to reduce possibility of future false negatives or false positives.
16. A system comprising:
an intrusion prevention system communicatively coupled to a controller and a supervisory station in an industrial system, wherein the intrusion prevention system is configured to:
receive network communications sent between the supervisory station and the controller; and
analyze network parameters of communication packets associated with the network communications against a rule set to determine whether an anomaly, an intrusion, or both are present based on a comparison between the network parameters and data included in a first list and in a second list and based on at least in part on a state of the controller, a state of the industrial control system, or both;
wherein possible states of the controller comprise a commissioned or operational state, a maintenance state, a configuration state, an emergency state, and a security response state and possible states of the industrial control system comprise a commissioned or operational state, a maintenance state, a configuration state, an energy state, and security response state.
17. The system of claim 16, wherein, when the controller is in the commission or operational state, the intrusion prevention system is configured to detect an anomaly, an intrusion, or both when the network communications comprise instructions to adjust operation of the controller.
18. The system of claim 16, wherein the intrusion system is configured to determine whether an anomaly, an intrusion, or both are present based at least in part on what devices are connected to the controller.
19. The system of claim 18, wherein the devices connected to the controller includes turbine systems, sensors, pumps, actuators, valves, transformers, breakers, switches, motors, generators, or any combination thereof.
20. The system of claim 16, wherein the system comprises the industrial control system comprising a gas turbine system, a gasification system, a steam turbine system, a wind turbine system, a water turbine system, a power generation system, a power grid automation system, or any combination thereof.
US13/801,496 2013-03-13 2013-03-13 Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems Active US9405900B2 (en)

Priority Applications (8)

Application Number Priority Date Filing Date Title
US13/801,496 US9405900B2 (en) 2013-03-13 2013-03-13 Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems
BR102014004682A BR102014004682A8 (en) 2013-03-13 2014-02-27 computer readable system and media
CA2844225A CA2844225C (en) 2013-03-13 2014-02-27 Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems
JP2014040025A JP6302283B2 (en) 2013-03-13 2014-03-03 Intelligent cyber-physical intrusion detection and prevention system and method for industrial control systems
IN1209CH2014 IN2014CH01209A (en) 2013-03-13 2014-03-10
EP14158644.6A EP2779569A1 (en) 2013-03-13 2014-03-10 Intelligent cyberphysical instrusion detection and prevention systems and methods for industrial control systems
CN201410092807.2A CN104052730B (en) 2013-03-13 2014-03-13 The intrusion detection of intelligent computer physics and system of defense and method for industrial control system
MX2014003067A MX2014003067A (en) 2013-03-13 2014-03-13 Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/801,496 US9405900B2 (en) 2013-03-13 2013-03-13 Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems

Publications (2)

Publication Number Publication Date
US20140283047A1 US20140283047A1 (en) 2014-09-18
US9405900B2 true US9405900B2 (en) 2016-08-02

Family

ID=50336076

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/801,496 Active US9405900B2 (en) 2013-03-13 2013-03-13 Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems

Country Status (8)

Country Link
US (1) US9405900B2 (en)
EP (1) EP2779569A1 (en)
JP (1) JP6302283B2 (en)
CN (1) CN104052730B (en)
BR (1) BR102014004682A8 (en)
CA (1) CA2844225C (en)
IN (1) IN2014CH01209A (en)
MX (1) MX2014003067A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150356445A1 (en) * 2014-06-05 2015-12-10 International Business Machines Corporation Data loss prevention to remove false positives
US10204226B2 (en) 2016-12-07 2019-02-12 General Electric Company Feature and boundary tuning for threat detection in industrial asset control system
US10397257B2 (en) 2016-12-07 2019-08-27 General Electric Company Multi-mode boundary selection for threat detection in industrial asset control system
US10397245B2 (en) * 2014-10-14 2019-08-27 Sicpa Holding Sa Interface with secure intermediary platform to generate data compatible with an external system in an oil and gas asset supply chain
US10623416B2 (en) 2018-01-31 2020-04-14 International Business Machines Corporation Torrent attack detection
US10678912B2 (en) 2016-11-15 2020-06-09 General Electric Company Dynamic normalization of monitoring node data for threat detection in industrial asset control system
US10785237B2 (en) * 2018-01-19 2020-09-22 General Electric Company Learning method and system for separating independent and dependent attacks
US10943186B2 (en) 2017-11-22 2021-03-09 Advanced New Technologies Co., Ltd. Machine learning model training method and device, and electronic device
US10956578B2 (en) 2018-10-05 2021-03-23 General Electric Company Framework for determining resilient manifolds
US11171976B2 (en) 2018-10-03 2021-11-09 Raytheon Technologies Corporation Cyber monitor segmented processing for control systems
US20220141241A1 (en) * 2020-11-05 2022-05-05 Kabushiki Kaisha Toshiba Information processing apparatus, computer program product, and information processing system
US11343266B2 (en) 2019-06-10 2022-05-24 General Electric Company Self-certified security for assured cyber-physical systems
US11411874B2 (en) 2018-01-29 2022-08-09 Ge Aviation Systems Limited Configurable network switch for industrial control systems including deterministic networks
US11494252B2 (en) 2018-12-28 2022-11-08 AO Kaspersky Lab System and method for detecting anomalies in cyber-physical system with determined characteristics
US11790081B2 (en) 2021-04-14 2023-10-17 General Electric Company Systems and methods for controlling an industrial asset in the presence of a cyber-attack

Families Citing this family (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9660994B2 (en) * 2014-09-30 2017-05-23 Schneider Electric USA, Inc. SCADA intrusion detection systems
CN104392172B (en) * 2014-10-30 2017-07-04 北京科技大学 A kind of safety detection method and system based on Embedded industrial system
JP6322590B2 (en) * 2015-02-05 2018-05-09 日本電信電話株式会社 Terminal detection system and method
US10051059B2 (en) * 2015-06-05 2018-08-14 Fisher-Rosemount Systems, Inc. Methods and apparatus to control communications of endpoints in an industrial enterprise system based on integrity
CN105404607B (en) * 2015-11-20 2018-02-13 英业达科技有限公司 The data transmission method of general serial input and output
JP6693114B2 (en) * 2015-12-15 2020-05-13 横河電機株式会社 Controller and integrated production system
JP2017129894A (en) * 2016-01-18 2017-07-27 三菱電機株式会社 Cyberattack detection system
US9979675B2 (en) * 2016-02-26 2018-05-22 Microsoft Technology Licensing, Llc Anomaly detection and classification using telemetry data
US10027699B2 (en) * 2016-03-10 2018-07-17 Siemens Aktiengesellschaft Production process knowledge-based intrusion detection for industrial control systems
CN105812371B (en) * 2016-03-17 2019-01-25 电子科技大学 DNP communications access control method neural network based
US10623437B2 (en) * 2016-04-01 2020-04-14 Doble Engineering Company Secured method for testing and maintenance of bulk electrical systems (BES) assets
CN109074453B (en) 2016-04-26 2021-10-26 三菱电机株式会社 Intrusion detection device, intrusion detection method, and computer-readable storage medium
JP6650343B2 (en) 2016-05-16 2020-02-19 株式会社日立製作所 Illegal communication detection system and unauthorized communication detection method
US11005863B2 (en) * 2016-06-10 2021-05-11 General Electric Company Threat detection and localization for monitoring nodes of an industrial asset control system
US10417425B2 (en) 2016-06-13 2019-09-17 The Trustees Of Columbia University In The City Of New York Secured cyber-physical systems
EP3460701A4 (en) * 2016-06-23 2019-05-22 Mitsubishi Electric Corporation Intrusion detection device and intrusion detection program
SG10201912502QA (en) * 2016-09-07 2020-02-27 Univ Singapore Technology & Design Defense system and method against cyber-physical attacks
US10262143B2 (en) 2016-09-13 2019-04-16 The Mitre Corporation System and method for modeling and analyzing the impact of cyber-security events on cyber-physical systems
JP6448878B2 (en) 2016-09-26 2019-01-09 三菱電機株式会社 Signal processing apparatus, signal processing method, and signal processing program
US10819719B2 (en) * 2016-10-11 2020-10-27 General Electric Company Systems and methods for protecting a physical asset against a threat
US9961089B1 (en) * 2016-10-20 2018-05-01 Mitsubishi Electric Research Laboratories, Inc. Distributed estimation and detection of anomalies in control systems
CN106506486A (en) * 2016-11-03 2017-03-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
US10417415B2 (en) * 2016-12-06 2019-09-17 General Electric Company Automated attack localization and detection
CN106773719A (en) * 2017-01-25 2017-05-31 上海云剑信息技术有限公司 A kind of industrial control system leak automatic mining method based on BP neural network
US10728264B2 (en) * 2017-02-15 2020-07-28 Micro Focus Llc Characterizing behavior anomaly analysis performance based on threat intelligence
CN107067619B (en) * 2017-03-21 2020-02-11 上海斐讯数据通信技术有限公司 Anti-theft method and system based on network
US10476902B2 (en) * 2017-04-26 2019-11-12 General Electric Company Threat detection for a fleet of industrial assets
JP2018185712A (en) * 2017-04-27 2018-11-22 株式会社日立製作所 Security monitoring system and security monitoring method
JP2019030218A (en) * 2017-08-01 2019-02-21 国立大学法人電気通信大学 Physical function exception processing method in cyber physical system such as humanoid robot
DE102017214203A1 (en) * 2017-08-15 2019-02-21 KSB SE & Co. KGaA Cyber attack cavitation protection method and apparatus for performing the method
AU2018316966B2 (en) * 2017-08-18 2021-10-07 Nippon Telegraph And Telephone Corporation Intrusion prevention device, intrusion prevention method, and program
US10686806B2 (en) * 2017-08-21 2020-06-16 General Electric Company Multi-class decision system for categorizing industrial asset attack and fault types
US10505955B2 (en) * 2017-08-22 2019-12-10 General Electric Company Using virtual sensors to accommodate industrial asset control systems during cyber attacks
US10831890B2 (en) * 2017-09-19 2020-11-10 Palo Alto Research Center Incorporated Method and system for detecting attacks on cyber-physical systems using redundant devices and smart contracts
CN111316177A (en) * 2017-11-15 2020-06-19 Ksb股份有限公司 Method and apparatus for protecting a pump assembly from network attacks
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
CN110224969A (en) * 2018-03-01 2019-09-10 中兴通讯股份有限公司 The processing method and processing device of data
CN110224970B (en) 2018-03-01 2021-11-23 西门子公司 Safety monitoring method and device for industrial control system
JP7200496B2 (en) 2018-03-30 2023-01-10 日本電気株式会社 Information processing device, control method, and program
JP7071876B2 (en) * 2018-05-25 2022-05-19 株式会社東芝 Control system and error factor determination method
EP3611587A1 (en) * 2018-08-16 2020-02-19 Siemens Aktiengesellschaft System for controlling and monitoring of adaptive cyber physical systems
US11297082B2 (en) * 2018-08-17 2022-04-05 Nec Corporation Protocol-independent anomaly detection
US10990668B2 (en) 2018-09-17 2021-04-27 General Electric Company Local and global decision fusion for cyber-physical system abnormality detection
CN109766694B (en) * 2018-12-29 2021-09-03 北京威努特技术有限公司 Program protocol white list linkage method and device of industrial control host
WO2020209837A1 (en) * 2019-04-09 2020-10-15 Siemens Aktiengesellschaft Industrial process system threat detection
EP3751813B1 (en) * 2019-06-13 2023-03-22 ABB Schweiz AG Device and method for performing threat detection and/or mitigation
CN113958377B (en) * 2020-07-03 2023-04-07 东方电气股份有限公司 Real-time online monitoring system and method for network security of steam turbine
US20240028010A1 (en) * 2020-09-29 2024-01-25 Fanuc Corporation Network relay device
WO2022177991A1 (en) * 2021-02-16 2022-08-25 Ap Cyber Llc Firewall gateway device and related methods for protecting distributed energy resources and other operational technologies against cyberattacks
CN114137934A (en) * 2021-11-23 2022-03-04 国网江西省电力有限公司电力科学研究院 Industrial control system with intrusion detection function and detection method
CN114884754B (en) * 2022-07-11 2022-09-23 深圳特科动力技术有限公司 Network security system for realizing fault prediction by intelligent analysis

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0645644A1 (en) 1993-08-08 1995-03-29 State Of Israel - Ministry Of Defence Intrusion detector
US6980927B2 (en) 2002-11-27 2005-12-27 Telos Corporation Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing continuous risk assessment
US20090217385A1 (en) 2005-05-13 2009-08-27 Kha Sin Teow Cryptographic control for mobile storage means
US20100058072A1 (en) 2005-05-13 2010-03-04 Kha Sin Teow Content cryptographic firewall system
US7954160B2 (en) 2005-03-14 2011-05-31 International Business Machines Corporation Computer security intrusion detection system for remote, on-demand users
US7966659B1 (en) * 2006-04-18 2011-06-21 Rockwell Automation Technologies, Inc. Distributed learn mode for configuring a firewall, security authority, intrusion detection/prevention devices, and the like
US20110208849A1 (en) 2010-02-25 2011-08-25 General Electric Company Method and system for security maintenance in a network
US20110288692A1 (en) * 2010-05-20 2011-11-24 Accenture Global Services Gmbh Malicious attack detection and analysis
US20120106406A1 (en) * 2009-07-13 2012-05-03 Zte Corporation Time division duplexing (TDD) style-based data transmission method and apparatus
US20120304007A1 (en) 2011-05-23 2012-11-29 Hanks Carl J Methods and systems for use in identifying abnormal behavior in a control system
US20130086680A1 (en) 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
US20130086635A1 (en) 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
US8656492B2 (en) 2011-05-16 2014-02-18 General Electric Company Systems, methods, and apparatus for network intrusion detection

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0645644A1 (en) 1993-08-08 1995-03-29 State Of Israel - Ministry Of Defence Intrusion detector
US6980927B2 (en) 2002-11-27 2005-12-27 Telos Corporation Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing continuous risk assessment
US7954160B2 (en) 2005-03-14 2011-05-31 International Business Machines Corporation Computer security intrusion detection system for remote, on-demand users
US20090217385A1 (en) 2005-05-13 2009-08-27 Kha Sin Teow Cryptographic control for mobile storage means
US20100058072A1 (en) 2005-05-13 2010-03-04 Kha Sin Teow Content cryptographic firewall system
US7966659B1 (en) * 2006-04-18 2011-06-21 Rockwell Automation Technologies, Inc. Distributed learn mode for configuring a firewall, security authority, intrusion detection/prevention devices, and the like
US20120106406A1 (en) * 2009-07-13 2012-05-03 Zte Corporation Time division duplexing (TDD) style-based data transmission method and apparatus
US20110208849A1 (en) 2010-02-25 2011-08-25 General Electric Company Method and system for security maintenance in a network
US20110288692A1 (en) * 2010-05-20 2011-11-24 Accenture Global Services Gmbh Malicious attack detection and analysis
US8656492B2 (en) 2011-05-16 2014-02-18 General Electric Company Systems, methods, and apparatus for network intrusion detection
US20120304007A1 (en) 2011-05-23 2012-11-29 Hanks Carl J Methods and systems for use in identifying abnormal behavior in a control system
US20130086680A1 (en) 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
US20130086635A1 (en) 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
European Search Report and Opinion issued in connection with corresponding EP Application No. 14158644.6 on Jun. 24, 2014.
Knapp, "Chapter 7: Establishing Secure Enclaves; Chapter 8: Exception, Anomaly, and Threat Detection; Chapter 9: Monitoring Enclaves", Industrial Network Security. Securing critical infrastructure networks for smart grid, SCADA, and other indurstial control systems, pp. 147-247, Aug. 31, 2011.

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9734450B2 (en) * 2014-06-05 2017-08-15 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Data loss prevention to remove false positives
US20150356445A1 (en) * 2014-06-05 2015-12-10 International Business Machines Corporation Data loss prevention to remove false positives
US10397245B2 (en) * 2014-10-14 2019-08-27 Sicpa Holding Sa Interface with secure intermediary platform to generate data compatible with an external system in an oil and gas asset supply chain
US10678912B2 (en) 2016-11-15 2020-06-09 General Electric Company Dynamic normalization of monitoring node data for threat detection in industrial asset control system
US10204226B2 (en) 2016-12-07 2019-02-12 General Electric Company Feature and boundary tuning for threat detection in industrial asset control system
US10397257B2 (en) 2016-12-07 2019-08-27 General Electric Company Multi-mode boundary selection for threat detection in industrial asset control system
US10943186B2 (en) 2017-11-22 2021-03-09 Advanced New Technologies Co., Ltd. Machine learning model training method and device, and electronic device
US10785237B2 (en) * 2018-01-19 2020-09-22 General Electric Company Learning method and system for separating independent and dependent attacks
US11411874B2 (en) 2018-01-29 2022-08-09 Ge Aviation Systems Limited Configurable network switch for industrial control systems including deterministic networks
US11765091B2 (en) 2018-01-29 2023-09-19 Ge Aviation Systems Limited Configurable network switch for industrial control systems including deterministic networks
US10623416B2 (en) 2018-01-31 2020-04-14 International Business Machines Corporation Torrent attack detection
US11171976B2 (en) 2018-10-03 2021-11-09 Raytheon Technologies Corporation Cyber monitor segmented processing for control systems
US10956578B2 (en) 2018-10-05 2021-03-23 General Electric Company Framework for determining resilient manifolds
US11494252B2 (en) 2018-12-28 2022-11-08 AO Kaspersky Lab System and method for detecting anomalies in cyber-physical system with determined characteristics
US11343266B2 (en) 2019-06-10 2022-05-24 General Electric Company Self-certified security for assured cyber-physical systems
US20220141241A1 (en) * 2020-11-05 2022-05-05 Kabushiki Kaisha Toshiba Information processing apparatus, computer program product, and information processing system
US11770395B2 (en) * 2020-11-05 2023-09-26 Kabushiki Kaisha Toshiba Information processing apparatus, computer program product, and information processing system
US11790081B2 (en) 2021-04-14 2023-10-17 General Electric Company Systems and methods for controlling an industrial asset in the presence of a cyber-attack

Also Published As

Publication number Publication date
IN2014CH01209A (en) 2015-05-29
JP6302283B2 (en) 2018-03-28
JP2014179074A (en) 2014-09-25
MX2014003067A (en) 2014-09-16
BR102014004682A8 (en) 2016-06-21
CA2844225C (en) 2020-12-29
BR102014004682A2 (en) 2016-02-02
CN104052730B (en) 2019-07-02
CN104052730A (en) 2014-09-17
CA2844225A1 (en) 2014-09-13
EP2779569A1 (en) 2014-09-17
US20140283047A1 (en) 2014-09-18

Similar Documents

Publication Publication Date Title
US9405900B2 (en) Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems
Ahmed et al. Programmable logic controller forensics
CN105763392B (en) A kind of industry control agreement fuzz testing method based on protocol status
US20160330225A1 (en) Systems, Methods, and Devices for Detecting Anomalies in an Industrial Control System
US11689544B2 (en) Intrusion detection via semantic fuzzing and message provenance
JP2018170006A (en) Generic framework to detect cyber threats in electric power grid
Chabukswar et al. Detecting integrity attacks on SCADA systems
Parthasarathy et al. Bloom filter based intrusion detection for smart grid SCADA
EP3804268A1 (en) System and method for anomaly and cyber-threat detection in a wind turbine
Chavez et al. Hybrid intrusion detection system design for distributed energy resource systems
Yang et al. iFinger: Intrusion detection in industrial control systems via register-based fingerprinting
Yau et al. PLC forensics based on control program logic change detection
Orojloo et al. Modelling and evaluation of the security of cyber‐physical systems using stochastic Petri nets
CN112866262B (en) Power plant safety I area situation perception platform based on neural network
Iturbe et al. On the feasibility of distinguishing between process disturbances and intrusions in process control systems using multivariate statistical process control
Satyanarayana Detection and blocking of replay, false command, and false access injection commands in scada systems with modbus protocol
Akbarian et al. A security framework in digital twins for cloud-based industrial control systems: Intrusion detection and mitigation
Flosbach et al. Architecture and prototype implementation for process-aware intrusion detection in electrical grids
Havlena et al. Accurate Automata-Based Detection of Cyber Threats in Smart Grid Communication
Rrushi et al. Detecting anomalies in process control networks
Hill et al. Using bro with a simulation model to detect cyber-physical attacks in a nuclear reactor
Hossain-McKenzie et al. Adaptive, cyber-physical special protection schemes to defend the electric grid against predictable and unpredictable disturbances
Januário et al. Resilience enhancement in cyber-physical systems: A multiagent-based framework
Leao et al. Machine learning-based false data injection attack detection and localization in power grids
Cabus et al. Security Considerations for Remote Terminal Units

Legal Events

Date Code Title Description
AS Assignment

Owner name: GENERAL ELECTRIC COMPANY, NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DIXIT, PARITOSH;THANOS, DANIEL;REEL/FRAME:030100/0201

Effective date: 20130215

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

AS Assignment

Owner name: GE INFRASTRUCTURE TECHNOLOGY LLC, SOUTH CAROLINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GENERAL ELECTRIC COMPANY;REEL/FRAME:065727/0001

Effective date: 20231110

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8